Author: coheigea
Date: Wed Nov 9 18:05:04 2011
New Revision: 1199896
URL: http://svn.apache.org/viewvc?rev=1199896&view=rev
Log:
Added policy validation for SecurityContextTokens as EndorsingSupportingTokens
- Added support for derived key policy validation as well for
EndorsingSupportingTokens
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java?rev=1199896&r1=1199895&r2=1199896&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
Wed Nov 9 18:05:04 2011
@@ -37,6 +37,7 @@ import org.apache.cxf.ws.policy.Assertio
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.cxf.ws.security.policy.model.KerberosToken;
+import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
import org.apache.cxf.ws.security.policy.model.SupportingToken;
import org.apache.cxf.ws.security.policy.model.Token;
import org.apache.cxf.ws.security.policy.model.X509Token;
@@ -100,12 +101,18 @@ public class EndorsingTokenPolicyValidat
if (!isTokenRequired(token, message)) {
continue;
}
- if (token instanceof KerberosToken &&
!processKerberosTokens()) {
+ boolean derived = token.isDerivedKeys();
+ if (token instanceof KerberosToken &&
!processKerberosTokens(derived)) {
ai.setNotAsserted(
"The received token does not match the supporting
token requirement"
);
return false;
- } else if (token instanceof X509Token &&
!processX509Tokens()) {
+ } else if (token instanceof X509Token &&
!processX509Tokens(derived)) {
+ ai.setNotAsserted(
+ "The received token does not match the supporting
token requirement"
+ );
+ return false;
+ } else if (token instanceof SecurityContextToken &&
!processSCTokens(derived)) {
ai.setNotAsserted(
"The received token does not match the supporting
token requirement"
);
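Review bot: The three branches of the new dispatch repeat the same `ai.setNotAsserted("The received token does not match the supporting token requirement"); return false;` block verbatim, and a fourth token type would copy it again; computing the result into one local and failing once keeps the message in a single place. Any token type that is none of KerberosToken, X509Token or SecurityContextToken still falls through with nothing checked and the assertion left standing, which predates this change but becomes easier to see in the longer chain — if that is intended it deserves a comment such as `// other endorsing token types are not validated here`. The enclosing loop and method start and end outside the hunk.
```java
boolean derived = token.isDerivedKeys();
boolean endorsed = true;
if (token instanceof KerberosToken) {
    endorsed = processKerberosTokens(derived);
} else if (token instanceof X509Token) {
    endorsed = processX509Tokens(derived);
} else if (token instanceof SecurityContextToken) {
    endorsed = processSCTokens(derived);
}
// other endorsing token types are not validated here
if (!endorsed) {
    ai.setNotAsserted(
        "The received token does not match the supporting token requirement"
    );
    return false;
}
```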
@@ -118,7 +125,7 @@ public class EndorsingTokenPolicyValidat
return true;
}
- private boolean processKerberosTokens() {
+ private boolean processKerberosTokens(boolean derived) {
List<WSSecurityEngineResult> tokenResults = new
ArrayList<WSSecurityEngineResult>();
for (WSSecurityEngineResult wser : results) {
Integer actInt =
(Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
@@ -126,6 +133,13 @@ public class EndorsingTokenPolicyValidat
BinarySecurity binarySecurity =
(BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
if (binarySecurity instanceof KerberosSecurity) {
+ if (derived) {
+ byte[] secret =
(byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
+ WSSecurityEngineResult dktResult =
getMatchingDerivedKey(secret);
+ if (dktResult != null) {
+ tokenResults.add(dktResult);
+ }
+ }
tokenResults.add(wser);
}
}
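Review bot: When `derived` is true the matching derived-key result is added but the raw Kerberos result `wser` is still added on the next line, so `checkEndorsed` also succeeds when the signature was made directly with the token's key rather than with a key derived from it; the same shape appears in `processX509Tokens` (the `processX509DerivedTokenResult` branch) and in `processSCTokens`. If `isDerivedKeys()` expresses a policy requirement rather than a permission, the raw result should only be accepted in the non-derived case, e.g. `if (derived) { ... } else { tokenResults.add(wser); }`; if both are meant to be acceptable, a comment stating that (`// a signature with either the token key or a derived key endorses`) would stop the next reader from reading it as an oversight. I cannot tell from the hunk which of the two the policy model intends, so this is a question rather than a confirmed defect. The enclosing loop and method continue outside the hunk.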
@@ -138,7 +152,7 @@ public class EndorsingTokenPolicyValidat
return checkEndorsed(tokenResults, tls);
}
- private boolean processX509Tokens() {
+ private boolean processX509Tokens(boolean derived) {
List<WSSecurityEngineResult> tokenResults = new
ArrayList<WSSecurityEngineResult>();
for (WSSecurityEngineResult wser : results) {
Integer actInt =
(Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
@@ -147,6 +161,12 @@ public class EndorsingTokenPolicyValidat
(BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
if (binarySecurity instanceof X509Security
|| binarySecurity instanceof PKIPathSecurity) {
+ if (derived) {
+ WSSecurityEngineResult resultToStore =
processX509DerivedTokenResult(wser);
+ if (resultToStore != null) {
+ tokenResults.add(resultToStore);
+ }
+ }
tokenResults.add(wser);
}
}
@@ -159,6 +179,77 @@ public class EndorsingTokenPolicyValidat
return checkEndorsed(tokenResults, tls);
}
+ private WSSecurityEngineResult
processX509DerivedTokenResult(WSSecurityEngineResult result) {
+ X509Certificate cert =
+
(X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+ WSSecurityEngineResult encrResult = getMatchingEncryptedKey(cert);
+ if (encrResult != null) {
+ byte[] secret =
(byte[])encrResult.get(WSSecurityEngineResult.TAG_SECRET);
+ WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
+ if (dktResult != null) {
+ return dktResult;
+ }
+ }
+ return null;
+ }
+
+ private boolean processSCTokens(boolean derived) {
+ List<WSSecurityEngineResult> tokenResults = new
ArrayList<WSSecurityEngineResult>();
+ for (WSSecurityEngineResult wser : results) {
+ Integer actInt =
(Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
+ if (actInt.intValue() == WSConstants.SCT) {
+ if (derived) {
+ byte[] secret =
(byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
+ WSSecurityEngineResult dktResult =
getMatchingDerivedKey(secret);
+ if (dktResult != null) {
+ tokenResults.add(dktResult);
+ }
+ }
+ tokenResults.add(wser);
+ }
+ }
+
+ if (tokenResults.isEmpty()) {
+ return false;
+ }
+
+ return checkEndorsed(tokenResults, tls);
+ }
+
+ /**
+ * Get a security result representing a Derived Key that has a secret key
that
+ * matches the parameter.
+ */
+ private WSSecurityEngineResult getMatchingDerivedKey(byte[] secret) {
+ for (WSSecurityEngineResult wser : results) {
+ Integer actInt =
(Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
+ if (actInt.intValue() == WSConstants.DKT) {
+ byte[] dktSecret =
(byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
+ if (Arrays.equals(secret, dktSecret)) {
+ return wser;
+ }
+ }
+ }
+ return null;
+ }
+
+ /**
+ * Get a security result representing an EncryptedKey that matches the
parameter.
+ */
+ private WSSecurityEngineResult getMatchingEncryptedKey(X509Certificate
cert) {
+ for (WSSecurityEngineResult wser : results) {
+ Integer actInt =
(Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
+ if (actInt.intValue() == WSConstants.ENCR) {
+ X509Certificate encrCert =
+
(X509Certificate)wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+ if (cert.equals(encrCert)) {
+ return wser;
+ }
+ }
+ }
+ return null;
+ }
+
/**
* Check the endorsing supporting token policy. If we're using the
Transport Binding then
* check that the Timestamp is signed. Otherwise, check that the signature
is signed.
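Review bot: `getMatchingDerivedKey` compares with `Arrays.equals(secret, dktSecret)`, and `Arrays.equals(null, null)` is true, so a token result that carries no `TAG_SECRET` would be matched to any derived-key result that also lacks one; the callers pass the value of `wser.get(TAG_SECRET)` through without checking it, so a guard such as `if (secret != null && Arrays.equals(secret, dktSecret))` keeps a missing secret from producing a match. `getMatchingEncryptedKey` has the mirror problem: `cert.equals(encrCert)` throws if the X509 result had no `TAG_X509_CERTIFICATE`, and `if (cert == null) { return null; }` at the top makes the method total. The new methods also unbox `TAG_ACTION` with `actInt.intValue()` as the existing code does, so a result without an action would throw rather than be skipped; worth a one-line `// TAG_ACTION is assumed present on every result` comment if that contract is guaranteed by WSS4J.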
@@ -237,22 +328,24 @@ public class EndorsingTokenPolicyValidat
// Now see if the same credential exists in the tokenResult list
for (WSSecurityEngineResult token : tokenResult) {
- Integer actInt =
(Integer)token.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.BST) {
- BinarySecurity binarySecurity =
-
(BinarySecurity)token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
- if (binarySecurity instanceof X509Security
- || binarySecurity instanceof PKIPathSecurity) {
- X509Certificate foundCert =
-
(X509Certificate)token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
- if (foundCert.equals(cert)) {
- return true;
- }
- } else if (binarySecurity instanceof KerberosSecurity) {
- byte[] foundSecret =
(byte[])token.get(WSSecurityEngineResult.TAG_SECRET);
- if (foundSecret != null && Arrays.equals(foundSecret,
secret)) {
- return true;
- }
+ BinarySecurity binarySecurity =
+
(BinarySecurity)token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+ if (binarySecurity instanceof X509Security
+ || binarySecurity instanceof PKIPathSecurity) {
+ X509Certificate foundCert =
+
(X509Certificate)token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+ if (foundCert.equals(cert)) {
+ return true;
+ }
+ } else {
+ byte[] foundSecret =
(byte[])token.get(WSSecurityEngineResult.TAG_SECRET);
+ if (foundSecret != null && Arrays.equals(foundSecret, secret))
{
+ return true;
+ }
+ byte[] derivedKey =
+
(byte[])token.get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY);
+ if (derivedKey != null && Arrays.equals(derivedKey, secret)) {
+ return true;
}
}
}
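Review bot: The local named `derivedKey` holds the value read under `TAG_ENCRYPTED_EPHEMERAL_KEY`, not a derived key, which will mislead anyone tracing why a secret matched; renaming it to `ephemeralKey` or adding `// the ephemeral key an EncryptedKey result carries; compared so a DKT built on it endorses` would make the intent visible. Dropping the `WSConstants.BST` test means every result in `tokenResult` now reaches this comparison, including SCT and DKT results whose `TAG_BINARY_SECURITY_TOKEN` is null, which appears to be the point of the change but is worth stating in the comment above the loop. The enclosing `checkEndorsed` method starts before the hunk and `cert` and `secret` are defined outside it.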
Modified:
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java?rev=1199896&r1=1199895&r2=1199896&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
(original)
+++
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
Wed Nov 9 18:05:04 2011
@@ -41,6 +41,7 @@ import wssec.x509.DoubleItService;
*/
public class X509TokenTest extends AbstractBusClientServerTestBase {
static final String PORT = allocatePort(Server.class);
+ static final String PORT2 = allocatePort(Server.class, 2);
private boolean unrestrictedPoliciesInstalled =
checkUnrestrictedPoliciesInstalled();
@@ -168,6 +169,25 @@ public class X509TokenTest extends Abstr
x509Port.doubleIt(BigInteger.valueOf(25));
}
+ @org.junit.Test
+ public void testTransportEndorsing() throws Exception {
+ if (!unrestrictedPoliciesInstalled) {
+ return;
+ }
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = X509TokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ DoubleItService service = new DoubleItService();
+ DoubleItPortType x509Port =
service.getDoubleItTransportEndorsingPort();
+ updateAddressPort(x509Port, PORT2);
+ x509Port.doubleIt(BigInteger.valueOf(25));
+ }
+
private boolean checkUnrestrictedPoliciesInstalled() {
try {
byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};
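Review bot: `testTransportEndorsing` treats a returned call as success but never checks the result and has no companion case showing that a request without the endorsing signature is rejected, so a validator that asserts everything would still pass this test; pinning the value with `org.junit.Assert.assertEquals(BigInteger.valueOf(50), x509Port.doubleIt(BigInteger.valueOf(25)));` is a one-line improvement and a negative test would cover the new policy-validation path the commit adds. The bus created via `bf.createBus(busFile.toString())` is never shut down; if the sibling tests in this class do call `bus.shutdown(true)`, this one should too. Returning early when `unrestrictedPoliciesInstalled` is false reports the test as passed rather than skipped, presumably matching the existing tests in this file.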
Modified:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml?rev=1199896&r1=1199895&r2=1199896&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
Wed Nov 9 18:05:04 2011
@@ -103,4 +103,23 @@
</jaxws:properties>
</jaxws:client>
+ <jaxws:client name="{http://WSSec/x509}DoubleItTransportEndorsingPort"
+ createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.signature.properties"
+
value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="ws-security.signature.username" value="alice"/>
+ <entry key="ws-security.callback-handler"
+
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ </jaxws:properties>
+ </jaxws:client>
+
+ <http:conduit name="https://localhost:.*">
+ <http:tlsClientParameters disableCNCheck="true">
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="password"
resource="org/apache/cxf/systest/ws/security/Truststore.jks"/>
+ </sec:trustManagers>
+ </http:tlsClientParameters>
+ </http:conduit>
+
</beans>
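Review bot: The new `http:conduit` matches every `https://localhost:.*` conduit the test bus creates and sets `disableCNCheck="true"`, which switches hostname verification off for all of them rather than for the one endorsing port this commit adds. That is acceptable for a systest, but a comment such as `<!-- test-only: hostname verification is disabled for the test truststore; do not copy into production configuration -->` above the conduit makes the scope explicit for anyone using these files as a template.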
Modified:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml?rev=1199896&r1=1199895&r2=1199896&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
Wed Nov 9 18:05:04 2011
@@ -45,6 +45,29 @@
<cxf:logging/>
</cxf:features>
</cxf:bus>
+
+ <!-- -->
+ <!-- Any services listening on port 9009 must use the following -->
+ <!-- Transport Layer Security (TLS) settings -->
+ <!-- -->
+ <httpj:engine-factory id="tls-settings">
+ <httpj:engine port="${testutil.ports.Server.2}">
+ <httpj:tlsServerParameters>
+ <sec:keyManagers keyPassword="password">
+ <sec:keyStore type="jks" password="password"
resource="org/apache/cxf/systest/ws/security/Bethal.jks"/>
+ </sec:keyManagers>
+ <sec:cipherSuitesFilter>
+ <sec:include>.*_EXPORT_.*</sec:include>
+ <sec:include>.*_EXPORT1024_.*</sec:include>
+ <sec:include>.*_WITH_DES_.*</sec:include>
+ <sec:include>.*_WITH_AES_.*</sec:include>
+ <sec:include>.*_WITH_NULL_.*</sec:include>
+ <sec:exclude>.*_DH_anon_.*</sec:exclude>
+ </sec:cipherSuitesFilter>
+ <sec:clientAuthentication want="true" required="false"/>
+ </httpj:tlsServerParameters>
+ </httpj:engine>
+ </httpj:engine-factory>
<jaxws:endpoint
id="KeyIdentifier"
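Review bot: The comment block introducing the engine factory says "Any services listening on port 9009" while the engine is bound to `${testutil.ports.Server.2}`, so the comment is wrong on the first day; `<!-- Any services listening on ${testutil.ports.Server.2} must use the following -->` keeps it accurate. The `cipherSuitesFilter` includes `.*_EXPORT_.*`, `.*_WITH_DES_.*` and `.*_WITH_NULL_.*`, so the transport that the new `DoubleItTransportEndorsingPolicy` relies on may negotiate a NULL-encryption or export-grade suite; if the broad include list exists to make the test run on restricted JCE policies it should say so, e.g. `<!-- test-only: weak and NULL suites are included so the systest runs under restricted crypto policies -->`, otherwise the three includes can be dropped.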
@@ -164,4 +187,21 @@
</jaxws:endpoint>
+ <jaxws:endpoint
+ id="TransportEndorsing"
+
address="https://localhost:${testutil.ports.Server.2}/DoubleItX509TransportEndorsing"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItTransportEndorsingPort"
+ xmlns:s="http://WSSec/x509"
+ implementor="org.apache.cxf.systest.ws.x509.server.DoubleItImpl"
+ wsdlLocation="wsdl_systest_wssec/x509/DoubleItX509.wsdl"
+ depends-on="tls-settings">
+
+ <jaxws:properties>
+ <entry key="ws-security.encryption.properties"
+
value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
+
</beans>
Modified:
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl?rev=1199896&r1=1199895&r2=1199896&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl
Wed Nov 9 18:05:04 2011
@@ -187,6 +187,25 @@
</wsdl:fault>
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="DoubleItTransportEndorsingBinding"
type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItTransportEndorsingPolicy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ <wsp:PolicyReference
URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ <wsp:PolicyReference
URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault" />
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
<wsdl:service name="DoubleItService">
<wsdl:port name="DoubleItKeyIdentifierPort"
binding="tns:DoubleItKeyIdentifierBinding">
@@ -210,6 +229,10 @@
binding="tns:DoubleItSymmetricProtectTokensBinding">
<soap:address
location="http://localhost:9001/DoubleItX509SymmetricProtect" />
</wsdl:port>
+ <wsdl:port name="DoubleItTransportEndorsingPort"
+ binding="tns:DoubleItTransportEndorsingBinding">
+ <soap:address
location="https://localhost:9002/DoubleItX509TransportEndorsing" />
+ </wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="DoubleItKeyIdentifierPolicy">
@@ -440,6 +463,43 @@
</wsp:ExactlyOne>
</wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItTransportEndorsingPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:TransportBinding>
+ <wsp:Policy>
+ <sp:TransportToken>
+ <wsp:Policy>
+ <sp:HttpsToken
RequireClientCertificate="false" />
+ </wsp:Policy>
+ </sp:TransportToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp />
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:TransportBinding>
+ <sp:EndorsingSupportingTokens>
+ <wsp:Policy>
+ <sp:X509Token
+
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:EndorsingSupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
<wsp:ExactlyOne>
<wsp:All>